Hi all, what is the best practice to handle secret...
# general
g
Hi all, what is the best practice to handle secrets generated in Pulumi for an ephemeral env? For example, I want to create a new instance of MSSQL Server on Azure with an admin password in Pulumi. One way which comes to my mind is to handle it with Azure Key Vault so as not to lose this password, but maybe there is a better approach which works natively with Pulumi. Thanks
b
you can use an encrypted Pulumi secret
our approach is to use pulumi.random to generate the password, and put it in a Key Vault
also you might want to use an Azure AD group instead of a single user as the admin
so that you can add yourself to it and log in for troubleshooting
g
ok thanks, I also thought about AD, but in my case it looks like too big an overhead. What do you mean by "encrypted Pulumi secret"? Is there any API to add entries to `Pulumi.stack.yaml`? Or generating passwords outside of Pulumi and passing them to it on `pulumi up` with `--secret`?
b
yeah, you can do `pulumi config` to set a secret
and it will make an entry you can retrieve as normal
but it will be encrypted in the yaml
g
sorry, you mean to do it with the `pulumi config set` command, right?
b
yeah
g
ah ok thanks
b
iirc it's `--secret`
g
👍
b
If you want to create the secret programmatically, you can use the `pulumi.secret(v)` function and it'll be encrypted in the state file, just like the CLI does. This combines nicely with what Oliver suggested, e.g. generating it with the random package.
g
yes, right. It looks like the simplest option, thanks